Wednesday, August 10, 2016

Windows 10 "Anniversary Update"

"The Anniversary Update is, technically, version 1607, and it is far more than a service pack." according to ZDNet.
It's being pushed out by Microsoft to Windows 10 PCs in a rolling fashion starting last week.  I got mine this morning.  Here's what I've observed.
  • It took more than an hour to download and install the update on my PC.  Your speed may vary depending on your internet connection, your hardware and your software.
  • Continuing change for the sake of change.
    • "Several major groups of options, including networking, have now moved almost entirely to the new Settings app," (ZDNet op cit.).
    • Cortana returns (It was wrong for you to decline to use Cortana before.  Now you cannot turn off Cortana without hacking the registry.  See here.)
    • It was also wrong for you to fiddle with the privacy settings before.  You have to fiddle with them all again to re-close the earlier loopholes and to close some new ones this update adds.
Microsoft wants you to think of Windows 10 as a service, where new features arrive as they're ready.  They promise that there will be frequent "feature updates" as well as cumulative monthly "quality updates."  I expect that it also means that we are in for:
  • A siege on our privacy where every round of updates requires re-closing loopholes.
  • Frustration when Microsoft decides that there is a better way to do something that everyone already knows how to do.

Monday, July 11, 2016

How to P2V Active Directory Servers

Or how to "sandbox" your Windows 2008 production environment for free. 


Easy steps (Google if you need help):
  1. Take a bare-metal backup of your AD server(s) using Windows Server Backup to an external drive.
  2. Download XenServer from xenserver.org and install it on your Sandbox host machine. 
  3. Download XenCenter from xenserver.org and install it on your Sandbox management PC. 
  4. This is important:  Make sure the Sandbox is on a separate network from the production environment.  Sandbox network traffic should have no pathway to the production environment.
  5. Instantiate the virtual machine(s) on the Sandbox host machine.  
  6. Restore the backup image(s) to the virtual machine(s).  The restored P2V server(s) will now boot to a BSOD.
  7. Use this guide to tell Windows to load the driver for the (intelide) virtual hard disk. This will resolve the BSOD you were getting when starting the VM(s).
  8. Install XenServer Tools on the VM(s). Install XenServer Tools before you activate Windows, otherwise you will have to activate again after installing XenServer Tools.
  9. Activate Windows VM(s).  
  10. Take the VM(s) off the Internet and change the properties of the VM's network adapter.  Give it the static LAN IP, DNS, etc. of the physical machine.  NB, the DNS of the VM should point at itself.
Now comes the part that is not well documented.  The VM(s) boot, but you can only access them from the Console in XenCenter.  If you try to use Remote Desktop from the management PC to access the VM(s), login fails with the message, "the specified domain could not be contacted."  AD is broken and all sorts of AD and Group Policy errors are recorded in the Event Viewer.

To fix the problems and get AD and Group Policies working (mostly), here's what you need to do: 
  1. Click Start, and then click Run.
  2. In the Open box, type cmd and then press ENTER.
  3. In the Command box, type "net stop ntfrs", without quotes.
  4. Click Start, and then click Run.
  5. In the Open box, type regedit and then press ENTER.
  6. Locate the following subkey in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
  7. In the right pane, double click BurFlags.
  8. In the Edit DWORD Value dialog box, type D4 and then click OK.
  9. Quit Registry Editor, and then switch to the Command box.
  10. In the Command box, type "net start ntfrs", without quotes.
  11. Quit the Command box.
Reboot and the VM is fixed! Active Directory is working and you can RDP to the VM from the management PC.  Note that if you have multiple AD VMs in your Sandbox, only the first one gets the DWORD Value of D4 in Step 8.  Subsequent VMs should get a DWORD Value of D2.

Some of you may not be content with just the hows; you also want to know the whys.  Here's some smoke and mirrors that might satisfy you - it satisfied my curiosity.
  1. Any Active Directory domain that was created using domain controllers running Windows Server 2003 or earlier will use the File Replication Service (FRS) for SYSVOL replication until it is migrated to Distributed File System Replication (DFS-R). This is true even if there are no longer any Windows Server 2003 DCs in the domain and the domain functional level is at Windows Server 2008 or above. 
  2. Various issues can cause FRS replica sets to stop replicating between DCs. The most common symptom of this is the lack of a SYSVOL share on one or more DCs in a domain. 
  3. SYSVOL replication and Active Directory replication use two separate mechanisms, and it is possible for one to work perfectly and the other to fail.
  4. To determine whether DFSR or FRS is being used on a domain controller that is running Windows Server 2008, check the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState registry subkey. If this registry subkey exists and its value is set to 3 (ELIMINATED), DFSR is being used. If the subkey does not exist, or if it has a different value, FRS is being used.
  5. System state backups for Windows domain controllers do not include the FRS database that maintains state information for the FRS service pertaining to the files within the SYSVOL folder and other content sets. The FRS database, debug logs, staging area files, and files in the pre-existing data folder are excluded from a system state backup. 
  6. An "authoritative restore" of FRS is necessary for SYSVOL and AD to work on a P2V Domain Controller (DC).  A "non-authoritative restore" of FRS on a P2V DC works if there are other working DCs on the LAN/Sandbox.
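The following PowerShell script is an added example, not part of the original post, that automates the BurFlags fix (net stop ntfrs, set BurFlags, net start ntfrs) and first performs the LocalState check from point 4 so the fix is only applied to a DC that still uses FRS. The script name and the -Authoritative switch are my own choices; run it elevated on the P2V DC in the sandbox, with -Authoritative on the first DC (D4) and without it on any further DCs (D2).

```powershell
# Set-FrsBurFlags.ps1 (hypothetical name, added example; run as Administrator)
# -Authoritative writes D4 (first/only DC in the sandbox); omit it to write D2.
param(
    [switch]$Authoritative
)

$dfsrKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols'
# The FRS key name contains a literal "/" which the PowerShell registry provider
# would treat as a path separator, so it is opened through .NET instead.
$frsSubKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

# Point 4 of the "whys": LocalState = 3 (ELIMINATED) means SYSVOL already
# replicates via DFS-R, so a BurFlags restore is the wrong fix for this DC.
$localState = (Get-ItemProperty -Path $dfsrKey -Name LocalState -ErrorAction SilentlyContinue).LocalState
if ($localState -eq 3) {
    throw 'SYSVOL has been migrated to DFS-R (LocalState = 3); BurFlags does not apply here.'
}

# D4 = authoritative restore, D2 = non-authoritative restore.
$burFlags = if ($Authoritative) { 0xD4 } else { 0xD2 }

# Steps 1-3: FRS must be stopped before the flag is set, otherwise it is ignored.
Stop-Service -Name NtFrs -Force

# Steps 6-8: open (or create) the key writable and set the DWORD value.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($frsSubKey, $true)
if ($null -eq $key) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($frsSubKey)
}
$key.SetValue('BurFlags', $burFlags, [Microsoft.Win32.RegistryValueKind]::DWord)
$readBack = $key.GetValue('BurFlags')
$key.Close()

# Step 10: start FRS again; it processes the flag and resets BurFlags to 0 when done.
Start-Service -Name NtFrs

'BurFlags written as 0x{0:X}, reads back 0x{1:X}. Reboot the VM to complete the restore.' -f $burFlags, $readBack
```

If the value still reads back as D4/D2 after the reboot, FRS did not process the restore; check the File Replication Service log in Event Viewer before trying again.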